Information Assurance Requirements
Definition of Information Assurance

• Information Assurance (IA) is the set of methods for managing the risks to information assets.

• IA practitioners seek to protect the confidentiality, integrity, and availability of data and their delivery systems, whether the data are in storage, processing, or transit, and whether threatened by malice or accident.
IA is More than Information Security

• IA includes reliability and emphasizes risk management over tools and tactics.

• IA includes privacy, regulatory compliance, audits, business continuity, and disaster recovery.

• IA draws from fraud examination, forensic science, military science, systems engineering, security engineering, and criminology in addition to computer science.

• IA is a superset of information security.
Responsibilities

• CIO responsibilities include:
  - Monitoring the reliability of cyber-security;
  - Robustness of cyber-crime protection;
  - Up-time availability of network services;
  - Installation of trusted backup capabilities;
  - Designs for systems redundancy;
  - Capacity for recovery from extreme failures.
Federal Information Security Management Act of 2002 ("FISMA")

• FISMA imposes processes that must be followed by information systems used by the US Government.

• Those systems must follow the Federal Information Processing Standards (FIPS) issued by NIST (National Institute of Standards & Technology).
FISMA Requirements

• Security controls must be incorporated into the system and must meet the security requirements of NIST 800-53.

• The security controls must contain the management, operational, and technical safeguards or countermeasures.

• The controls must be documented in the security plan.
Homeland Security Presidential Directive HSPD-12

The White House

• Defines the Federal standard for secure and reliable forms of identification;

• Executive departments and agencies shall have a program to ensure that identification meets the standard;

• Executive departments and agencies shall identify information systems that are important for security.
Required: Public Key Encryption

Public Key Infrastructure:

PKI is a set of products and services that provide and manage X.509 certificates for public key cryptography. Certificates identify the individual named in the certificate and bind that person to a particular public/private key pair. DoD PKI provides data integrity, user identification and authentication, user non-repudiation, data confidentiality, encryption, and digital signature services for programs and applications that use the DoD networks.
A Secure Identity Card

[Figure: diagram of a secure identity card with its components labelled: Digital Photo, Radio Frequency Antenna, One-Time Password, Heavy Duty Password, Electronic Wallet, Digital Identity Certificate, Biometrics, Encryption Key]
Encryption Policy

• Unclassified data on mobile computing devices and removable storage media shall be encrypted.

• Encryption is achieved by means of the Trusted Platform Module (TPM). It is a microcontroller that can organize and store secured information.

• TPM offers facilities for secure generation of cryptographic keys.
What is TPM

• The TPM is a microcontroller that stores keys, passwords and digital certificates.

• It is affixed to the motherboard.

• Silicon ensures that the information stored is made secure from external software attack and physical theft.

• Security processes, such as digital signature and key exchange, are protected.

• Critical applications such as secure email, secure web access and local protection of data are assured.
MS VISTA Necessary for TPM

[Figure: Microsoft Windows Vista logo]
Spending on Information Assurance

[Table: rows Defense Department and All Others; columns Total I.T. Security Spending and Total IT Spending on Training and Reporting. Only the last row is legible: DoD IA Spending / Total I.T. Spending: 10.3%, 10.5%]
Information Assurance Certification & Accreditation Program (DIACAP)

• E-Government Act
  - Title III of the E-Government Act, the Federal Information Security Management Act (FISMA), requires Federal departments and agencies to develop, document, and implement an organization-wide program to provide information assurance. DIACAP ensures that DoD Certification and Accreditation (C&A) is consistent with FISMA, DoDD 8500.1 and DoDI 8500.2.

• Global Information Grid (GIG)
  - The DIACAP is a central component of the GIG IA C&A Strategy. DIACAP satisfies the need for a dynamic C&A process for the GIG and net-centric applications.
DIACAP Activities

[Figure: DIACAP activity cycle, reconstructed from its labels]

1. Initiate and Plan
   - Register System with DoD Component IA Program
   - Assign IA Controls
   - Assemble DIACAP Team
   - Review DIACAP Intent
   - Initiate DIACAP Implementation Plan

2. Implement and Validate Assigned IA Controls
   - Execute and Update DIACAP Implementation Plan
   - Conduct Validation Activities
   - Compile Validation Results in DIACAP Scorecard

3. Make Certification Determination & Accreditation Decisions
   - Issue Certification Determination
   - Make Accreditation Decision

4. Maintain Authority to Operate and Conduct Reviews
   - Maintain Situational Awareness (Revalidation of IA Controls must occur at least annually)
   - Impact IA Posture

5. Decommission System
   - Disposition of the DIACAP registration information and system-related data
Designated Approving Authority (DAA)

• Official with the authority to formally assume responsibility for operating a system at an acceptable level of risk.
The Internet
Web Looks Simple to the User

[Figure: the user's view of a connection through the "Internet" cloud]
Internet Advantage

• Any properly configured computer can act as a host for a personal web-page.

• Any of several hundred million other computers can view that personal web-page.

• Any of several hundred million other computers can connect to another computer capable of delivering an information processing service.
Internet Protocols: For Identification of Message “Packets”

[Figure: layout of a message packet, ending in a Message Trailer]
What is in an Internet Packet Header

• 4 bits that contain the version, which specifies an IPv4 or IPv6 packet,
• 4 bits that contain the length of the header,
• 8 bits that contain the Type of Service - Quality of Service (QoS),
• 16 bits that contain the length of the packet,
• 16 bits identification tag to reconstruct the packet from fragments,
• 3 bits of flags that say whether the packet is allowed to be fragmented or not,
• 13 bits that identify which fragment this packet is attached to,
• 8 bits that contain the Time to Live (TTL), the number of hops allowed,
• 8 bits that contain the protocol (TCP, UDP, ICMP, etc.),
• 16 bits that contain the Header Checksum,
• 32 bits that contain the source IP address,
• 32 bits that contain the destination address.
Problems with Nets and Servers

• Capacity limitations for peak loads;
• Congestion in access to data sources;
• Excessive delays for global access;
• Expensive to scale capacity for growth;
• Problem not in bandwidth, but mostly in switching;
• Depends on reliability and capacity of ISP “peers” to forward data to the destination;
• Conflicting economic interests among “peers” can inhibit growth and performance.
Internet Liabilities

• 1/,000+ partially secure, poorly connected networks with a practically unlimited number of unverifiable points of access;

• The most frequently used security protocol (SSL - Secure Socket Layer) authenticates destination servers, but not the sending sources;

• Networks are mostly small, with large ISPs managing less than 10% of network traffic;

• Performance of the network depends on “peering relationships” between ISPs (Information Service Providers), each providing network capacity and router switching capacity;

• Delivery of packets cannot be guaranteed because network performance is determined by routers that may not have sufficient capacity to handle traffic spikes.
Internet Liabilities - Cont'd.

• The Border Gateway Protocol (BGP) carries the ISPs' instructions for forwarding packets from one network link to another. BGP is unreliable if router tables are in error;

• Average broad-band web-page download time to a LAN can be well over 0.5 seconds if the message “packet” traverses several “hops”;

• The Domain Name System (DNS) can be compromised by diversion of communications;

• Software robots (botnets) can automatically proliferate and convey destructive software such as “worms”, “rootkits” or parasitic “malware” such as “Trojans” for finding “backdoors” into computers;

• Denial of service attacks can be launched.
My Computer Scanned for 72,803 Viruses

[Screenshot: antivirus "Virus Definitions Info" window listing virus names and types; the visible entries are the Backdoor.Optix / Backdoor.OptixPro family, all of type PC Virus. Footer: 33729 virus names found, 72803 total virus definitions, Virus Definitions Date: 8/16/06]
Internal SNAFUs Cause Most Breaches of Security

[Pie chart: Internal Foul-Ups 61%, External Attacks 31%, All other 8%]

SOURCE: Study of 550 security breaches, University of Washington, Computerworld 3/19/07

Prof. Strassmann, GMU March 27, 2007 Lecture, REPRODUCED BY PERMISSION ONLY

Security Management Issues
Types of Cyber-Threats

• Denial of service (DoS)
• Malicious software: Viruses; Worms; Trojans; Logic bombs
• Password crackers
• Spoofing / masquerading
• Sniffers
• Back door/trap door
• Emanation detection
• Unauthorized targeted data mining
• Dumpster diving
• Eavesdropping and tapping
• Social engineering
• Phishing
• Lnett
Information Operations > Information Assurance

INFORMATION OPERATIONS (table reconstructed as capability: sub-capability: purpose)

Electronic warfare
  - Electronic attack: Destroy, disrupt, delay
  - Electronic warfare support: Identify and locate threats
  - Electronic protection: Protect the use of electromagnetic spectrum

Computer network operations
  - Computer network attack: Destroy, disrupt, delay
  - Computer network defense: Protect computer networks
  - Computer network exploitation: Gain information about computer networks

Psychological operations: Psychological operations
Military deception: Military deception
Operations security: Operations security: … information systems
Physical security: Secure information and information infrastructure
Physical attack: Destroy, disrupt

Source: Joint Pub 3-13, Information Operations
E-Mail Filtering

[Screenshot: junk-mail folder for e-mail sent to pstrassm@gmu.edu, seven messages each with Unjunk | View links and a Visit Junk Box link. Four are flagged "Likely Spam" (subjects "MS Office 2007 Enterprise ready to download", "Billing report changes" and two "Download notification", from unfamiliar senders). Three are flagged "Phishing": two "Urgently Respond Now" messages from senders posing as aw-confirm@eBay.com, and "Your payment has been sent to salesi@wholesaleipod.com" from service@ipaypal.com, a look-alike of the real PayPal domain.]
Internet SPAM % of Total E-mail

[Chart: spam as a percentage of total e-mail over time; axis labels not legible]

Percent of Spam with Malicious Attachments

[Chart: percent of spam with malicious attachments, Jan 2006 to Jun 2006, y-axis 0.00% to 1.40%; labelled data points include 0.66% and 0.54%]

Distribution of E-Mail and Spam

[Chart: Percent Internet Mail versus Percent Internet Spam by region: Africa, Asia, Australia/Oceania, Europe, North America, South America]
Buffer of 256 bytes Gets Loaded with 512 bytes

For example, the following program declares a buffer that is 256 bytes long. However, the program attempts to fill it with 512 bytes of the letter “A” (0x41).

    int i;
    void function(void)
    {
        char buffer[256];           /* create a buffer */
        for (i = 0; i < 512; i++)   /* iterate 512 times */
            buffer[i] = 'A';        /* copy the letter A; from i = 256 on this writes past the end of buffer */
    }
Placement of Malicious Code in Overflow Buffer

Instead of filling the buffer full of As, a classic exploit will fill the buffer with its own malicious code. Also, instead of overwriting the return EIP (where the program will execute next) with random bytes, the exploit will overwrite EIP with the address of the buffer, which is now filled with malicious code. This causes the execution path to change and causes the program to execute the injected malicious code.

[Figure: stack diagram in three stages. 1: A function is using a buffer 256 bytes long; the program begins to fill the buffer with the attacker's malicious code. 2: Once the buffer is full, the bytes begin to overflow into adjacent memory; first the saved EBP is overwritten (Old EBP=0x41414141, Ret. EIP=0x00401000). 3: The return address is then overwritten to point back into the malicious code, and the program begins to execute it (Ret. EIP=0x0012FD…, remaining digits not legible).]
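The memory layout the figure describes, as an added example that is not from the lecture: a 32-bit stack frame is simulated in a plain byte array (buffer, then saved EBP, then return address), the slide's unbounded loop is run beside a bounded fill, and a check reports whether the saved EBP and return address survived. The saved EBP value 0x0012FF00 is a constructed assumption; 0x00401000 is the return address the figure shows.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated 32-bit stack frame laid out as in the figure: the 256-byte
   buffer, then the saved EBP, then the return address (4 bytes each).
   It is an ordinary byte array, so the demonstration stays well-defined C
   and never touches the real stack. */
#define BUF_LEN   256
#define FRAME_LEN (BUF_LEN + 4 + 4)
#define SAVED_EBP 0x0012FF00u   /* constructed value */
#define RET_EIP   0x00401000u   /* return address shown in the figure */

static void init_frame(uint8_t *frame) {
    uint32_t ebp = SAVED_EBP, eip = RET_EIP;
    memset(frame, 0, FRAME_LEN);
    memcpy(frame + BUF_LEN, &ebp, sizeof ebp);
    memcpy(frame + BUF_LEN + 4, &eip, sizeof eip);
}

static uint32_t saved_ebp(const uint8_t *frame) {
    uint32_t v; memcpy(&v, frame + BUF_LEN, sizeof v); return v;
}
static uint32_t ret_eip(const uint8_t *frame) {
    uint32_t v; memcpy(&v, frame + BUF_LEN + 4, sizeof v); return v;
}

/* The slide's loop: writes `count` bytes of 'A' with no regard to the
   256-byte buffer (clamped to the simulated frame only so the array
   itself is not exceeded). */
static void fill_unbounded(uint8_t *frame, size_t count) {
    if (count > FRAME_LEN) count = FRAME_LEN;
    for (size_t i = 0; i < count; i++) frame[i] = 'A';
}

/* Hardened form: the writer is told the buffer's capacity and stops there.
   Returns how many bytes were actually written. */
static size_t fill_bounded(uint8_t *buf, size_t cap, size_t count) {
    size_t n = count < cap ? count : cap;
    for (size_t i = 0; i < n; i++) buf[i] = 'A';
    return n;
}

/* 1 if the saved EBP and return address survive a 512-byte request. */
static int frame_survives(int bounded) {
    uint8_t frame[FRAME_LEN];
    init_frame(frame);
    if (bounded) fill_bounded(frame, BUF_LEN, 512);
    else         fill_unbounded(frame, 512);
    return saved_ebp(frame) == SAVED_EBP && ret_eip(frame) == RET_EIP;
}

int main(void) {
    uint8_t frame[FRAME_LEN];
    init_frame(frame);
    fill_unbounded(frame, 512);
    printf("unbounded: saved EBP=0x%08X ret EIP=0x%08X\n",
           (unsigned)saved_ebp(frame), (unsigned)ret_eip(frame));
    printf("survives: bounded=%d unbounded=%d\n", frame_survives(1), frame_survives(0));
    return 0;
}
```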
Losses from Virus Attacks

[Bar chart: Financial Losses From Specific Virus Attacks in 2004 (Stated In Billions of US Dollars), for Bagle, NetSky, Sasser and MyDoom; values not legible]
Classes of Malware

• A computer virus attaches itself to a program or file so it can spread from one computer to another, leaving infections as it travels.

• Worms spread from computer to computer, but unlike a virus, a worm has the capability to travel without any help from a person.

• A Trojan Horse tricks users into opening it because they appear to be receiving legitimate software or files from a legitimate source.
Pathology of Virus Types

Rank | Sample   | Type             | Vectors           | Impact
1    | Polip    | Virus            | File sharing, P2P | Lowers security settings
2    | Bomka    | Trojan, Backdoor | Spam              | Drops other malcode
3    | Gobrena  | Trojan           | Spam              | Downloads Goldun Trojan
4    | Detnat   | Virus            | File sharing      | Downloads Lineage Trojan
5    | Ecup     | Worm             | P2P               |
6    | Rajump   | Backdoor         | N/A               | Allows remote access
7    | Nebuler  | Trojan           | N/A               | Sends information to remote sites, downloads other threats
8    | Awax     | Trojan           | N/A               | Downloads and installs other threats
9    | Yamanner | Worm             | Yahoo! Web mail   | Sends email addresses from contact list to a remote host
10   | TopFox   | Trojan           | N/A               | Logs keystrokes
Trends in Denial of Service Attacks

[Chart: denial of service attacks over time, x-axis Jan 01, 2006 to Jun 18, 2006 in four-week steps; values not legible]
Concentration of Denial of Service Attacks

[Table: Rank, Sector, Proportion of attacks. Sectors in the order listed: Internet Service Provider, Government, Telecommunications, Transportation, Education, Accounting, Utilities / Energy, Insurance, Financial Services, Information Technology; the rank and proportion columns are not legible]
Characteristics of Browser-Based Attacks

Jan-June 2006

Rank | Attack | Percent of attackers
1  | Multiple Browser Zero Width GIF Image Memory Corruption Attack | 31%
2  | Microsoft Internet Explorer DHTML Object Race Condition Memory Corruption Attack | 19%
3  | Microsoft Internet Explorer Remote URLMON.DLL Buffer Overflow Attack | 17%
4  | Mozilla JavaScript URL Host Spoofing Arbitrary Cookie Access Attack | 8%
5  | Mozilla Browser BMP Image Decoding Multiple Integer Overflow Attack | 7%
6  | Microsoft Internet Explorer Bitmap Processing Integer Overflow Attack | 3%
7  | Mozilla Browser Non-ASCII Hostname Heap Overflow Attack | 3%
8  | Microsoft Internet Explorer Drag and Drop Attack | 3%
9  | Mozilla Multiple URI Processing Heap Based Buffer Overflow Attack | 2%
10 | Microsoft Internet Explorer HTML Document Directive Buffer Overflow Attack | 2%
Attack on Wireless Devices

[Table: Current rank, Threat, Proportion of total threats. Threats in the order listed: Device Probing for an Access Point; Spoofed MAC Address; Unauthorized NetStumbler Client; Rogue Wireless Access Point; Unauthenticated Association Denial of Service Attack; Radio Frequency Jamming Denial of Service Attack; CTS Flood Denial of Service Attack; Illegal 802.11 Packet; Potential Honeypot Access Point; Authentication Flood Denial of Service Attack. The proportion column is not legible]
Future Prospects
Power of Microprocessors

[Chart: microprocessor computing power on a logarithmic scale (down to 1/1,000,000) against year, roughly 1900 to 2000]
Projected Development of Machine Intelligence

[Chart: computer processing available (MIPS per $1000 and computing costs, from 1975 onward) compared with the number of neurons and equivalent MIPS of organisms from bacterium and worm through mouse and monkey to human]
Implications of “Smart” Attackers

• Viruses are sufficiently smart to learn about defenses and reconfigure attacks accordingly.

• Static defenses will not work any more.

• Vulnerability is in software and almost none in hardware.

• Networks must have the capability to actively intercept and neutralize the attackers.

• Protection must move from devices (clients) and servers to the network.
Summary

• Information Assurance is now the primary requirement for the design of government networks.

• The virulence of attacks is rising faster than the capabilities of defenses.

• Information Assurance will have to migrate from defending desktops, laptops and PDAs to protecting the network.

• Information Assurance offers attractive career opportunities.